Suggestion
Resolution: Fixed
There is currently no way of authenticating webhooks. While IP whitelisting could work, it is fragile and cumbersome to maintain a list of allowed IP addresses (even if said list is available through an API).
A simple & proven way of authenticating any kind of payload is to join an HMAC signature with the payload.
All that is required is a shared secret between Bitbucket and the webhook receiver. We should be able to provide said secret on the webhook configuration page (and the API). Then, Bitbucket sends the webhook with the computed HMAC (in a header or within the payload) so that the receiver can check it.
Please note that this feature is already implemented by GitHub.
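The sender/receiver exchange the request describes, as an added example (not code from the issue, from Bitbucket, or from GitHub): the sender computes an HMAC-SHA256 over the raw request body with the shared secret and places it in a header; the receiver recomputes it over the bytes it actually received and compares in constant time. The header name `X-Hub-Signature`, the `sha256=` prefix, the secret and the payload are all assumptions constructed for the example.

```python
import hashlib
import hmac
from typing import Optional

# Hypothetical header name; in practice it is whatever the sending service documents.
SIGNATURE_HEADER = "X-Hub-Signature"


def sign_payload(secret: bytes, body: bytes) -> str:
    """Sender side: HMAC-SHA256 over the raw body, hex-encoded, with an
    algorithm prefix so the receiver can reject schemes it does not expect."""
    digest = hmac.new(secret, body, hashlib.sha256).hexdigest()
    return f"sha256={digest}"


def verify_signature(secret: bytes, body: bytes, header_value: Optional[str]) -> bool:
    """Receiver side. True only when the header is present, well-formed, names the
    one algorithm we accept, and matches the body under the shared secret.

    The HMAC must be computed over the exact bytes received, never over a
    re-serialised JSON object, and compared with a constant-time function so the
    digest cannot be recovered one byte at a time through timing differences."""
    if not header_value:
        return False
    algo, sep, received = header_value.partition("=")
    if sep != "=" or algo != "sha256":
        # Do not let the sender choose the algorithm; accept only the expected one.
        return False
    expected = hmac.new(secret, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, received)


def handle_webhook(secret: bytes, headers: dict, body: bytes) -> int:
    """Minimal dispatch: reject with 401 before touching the payload,
    otherwise 200. Parsing the JSON happens only after verification."""
    if not verify_signature(secret, body, headers.get(SIGNATURE_HEADER)):
        return 401
    # ... parse the event and act on it here ...
    return 200


if __name__ == "__main__":
    # Constructed sample values, not real Bitbucket data.
    secret = b"constructed-shared-secret"
    body = b'{"repository": {"name": "example"}, "push": {}}'
    headers = {SIGNATURE_HEADER: sign_payload(secret, body)}

    print(handle_webhook(secret, headers, body))          # genuine request: 200
    print(handle_webhook(secret, headers, body + b" "))   # body altered in transit: 401
    print(handle_webhook(secret, {}, body))               # header missing: 401
```

The receiver should store the secret per webhook and rotate it by registering a new one and accepting both for a short overlap period; a signature scheme on its own does not protect against replay, so a timestamp or event id check is a reasonable addition once the basic verification is in place.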
Is related to:
- BCLOUD-20867 Support webhook alternate or proxy for on-prem CI/CD (Closed)
- BCLOUD-16271 Ability to add secret fields to webhooks (Closed)
- BCLOUD-14683 Add webhook secret (Closed)
- ENT-1420
Hi everyone, we're excited to announce that we've just gone live with a feature to add Signing to Webhooks from Bitbucket Cloud.
More information is available here: https://bitbucket.org/blog/enhanced-webhook-security
I would like to acknowledge that this capability is overdue. I hope that the implementation of this, coupled with recent enhancements to our API Tokens (https://bitbucket.org/blog/access-your-bitbucket-cloud-repositories-more-securely-with-resource-scoped-access-tokens, https://bitbucket.org/blog/introducing-project-and-workspace-access-tokens), and the work we are doing to bring Forge to Bitbucket Cloud is helping to demonstrate our commitment to growing Bitbucket Cloud into a powerful platform for customers to build their own DevOps tooling on.
If there are other critical gaps in Bitbucket Cloud's functionality that are preventing you from building out integration and automation solutions that your team needs, please feel free to get in touch with me directly: emunday@atlassian.com
And before I get a torrent of emails saying "API Rate Limits"... yes... we're working on it!